https://github.com/e2b-dev/E2B · lang: python · LOC: · source: both
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED111 Bare except continues silently | medium | 16 |
| MINED118 Dockerfile FROM not pinned by sha256 digest | high | 13 |
| MINED116 GHA pull_request workflow leaks secrets to forks | critical | 6 |
| MINED062 Python Dataclass No Fields | info | 4 |
| MINED044 Js Console Log Prod | info | 4 |
| MINED050 Stub Only Function | info | 4 |
JRN004 · Consent is collected in UI without visible backend audit persistence · packages/js-sdk/src/envd/schema.gen.ts:56 · conf 0.78
MINED001 · Bare Except Pass · CWE-755 · packages/python-sdk/e2b/sandbox_async/commands/command_handle.py:143 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001 · Bare Except Pass · CWE-755 · packages/python-sdk/e2b/sandbox_async/filesystem/watch_handle.py:39 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001 · Bare Except Pass · CWE-755 · packages/python-sdk/e2b/sandbox_sync/commands/command_handle.py:121 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
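An added example, not E2B's code, to make the three MINED001 findings concrete: a handle's close() written with the flagged bare `except:` beside the narrow form, plus a probe that shows which exceptions each one lets through. The `ClosedError`/`close_fn` shape is an assumption standing in for the real command and watch handles. One correction to the rule text above: `except Exception: pass` does not swallow KeyboardInterrupt (it derives from BaseException, not Exception), but it still hides every programming error in the guarded call.

```python
"""Added example, not E2B code: the handle/close shape is an assumed stand-in
for the command and watch handles the findings above point at. It shows why a
bare `except:` is worse than it looks: it catches BaseException, so Ctrl-C,
SystemExit and asyncio.CancelledError vanish along with real bugs."""
import logging

log = logging.getLogger("handles")


class ClosedError(RuntimeError):
    """Constructed: the one error a close() is expected to raise on a handle
    that was already closed."""


def close_swallow_everything(close_fn) -> str:
    """The flagged pattern."""
    try:
        close_fn()
    except:  # noqa: E722 - deliberately the flagged form
        pass
    return "closed"


def close_narrow(close_fn) -> str:
    """Hardened form: catch only the error the call is known to raise, log it
    so the event is not silent, and let everything else propagate (including
    interrupts and task cancellation, which must reach the caller)."""
    try:
        close_fn()
    except ClosedError as exc:
        log.debug("close() on an already-closed handle: %s", exc)
    return "closed"


def propagates(closer, exc_type) -> bool:
    """True if `closer` lets an exception of `exc_type`, raised inside the
    close function, escape to the caller."""
    def raising():
        raise exc_type("constructed failure")
    try:
        closer(raising)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    for exc in (ClosedError, KeyboardInterrupt, AttributeError):
        print(f"{exc.__name__:17} bare except: {propagates(close_swallow_everything, exc)!s:5}"
              f"  narrow except: {propagates(close_narrow, exc)}")
```

For the two `sandbox_async` handles the narrow form matters twice over: since Python 3.8 `asyncio.CancelledError` derives from BaseException, so a bare `except:` in an async close path turns task cancellation into a task that appears to have finished normally.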
MINED016 · Go Error Ignored · CWE-754 · packages/connect-python/cmd/protoc-gen-connect-python/main.go:72 · conf 1.00
[MINED016] Go Error Ignored: _, err := fn() with err not checked. Go anti-pattern.
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/bugs/test_envelope_decode.py:37 · conf 1.00
[MINED106] Phantom test coverage: test_envelope_decode: Test function `test_envelope_decode` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cov…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/conftest.py:26 · conf 1.00
[MINED106] Phantom test coverage: test_api_key: Test function `test_api_key` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without ve…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/sandbox_sync/test_timeout.py:17 · conf 1.00
[MINED106] Phantom test coverage: test_shorten_then_lengthen_timeout: Test function `test_shorten_then_lengthen_timeout` runs code but contains no assert / expect / should call — it passes regardless…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_build.py:44 · conf 1.00
[MINED106] Phantom test coverage: test_build_template: Test function `test_build_template` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_build.py:59 · conf 1.00
[MINED106] Phantom test coverage: test_build_template_from_base_template: Test function `test_build_template_from_base_template` runs code but contains no assert / expect / should call — it passes re…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_build.py:65 · conf 1.00
[MINED106] Phantom test coverage: test_build_template_with_symlinks: Test function `test_build_template_with_symlinks` runs code but contains no assert / expect / should call — it passes regardless o…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_build.py:78 · conf 1.00
[MINED106] Phantom test coverage: test_build_template_with_resolve_symlinks: Test function `test_build_template_with_resolve_symlinks` runs code but contains no assert / expect / should call — it pas…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_stacktrace.py:96 · conf 1.00
[MINED106] Phantom test coverage: test_traces_on_from_image: Test function `test_traces_on_from_image` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_stacktrace.py:105 · conf 1.00
[MINED106] Phantom test coverage: test_traces_on_from_template: Test function `test_traces_on_from_template` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_stacktrace.py:113 · conf 1.00
[MINED106] Phantom test coverage: test_traces_on_from_dockerfile: Test function `test_traces_on_from_dockerfile` runs code but contains no assert / expect / should call — it passes regardless of beha…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_stacktrace.py:123 · conf 1.00
[MINED106] Phantom test coverage: test_traces_on_from_image_registry: Test function `test_traces_on_from_image_registry` runs code but contains no assert / expect / should call — it passes regardless…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_stacktrace.py:137 · conf 1.00
[MINED106] Phantom test coverage: test_traces_on_from_aws_registry: Test function `test_traces_on_from_aws_registry` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/template_sync/test_stacktrace.py:151 · conf 1.00
[MINED106] Phantom test coverage: test_traces_on_from_gcp_registry: Test function `test_traces_on_from_gcp_registry` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/volume_sync/test_file.py:70 · conf 1.00
[MINED106] Phantom test coverage: test_write_existing_file_without_force_raises: Test function `test_write_existing_file_without_force_raises` runs code but contains no assert / expect / should call …
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/volume_sync/test_file.py:144 · conf 1.00
[MINED106] Phantom test coverage: test_update_metadata_nonexistent_raises: Test function `test_update_metadata_nonexistent_raises` runs code but contains no assert / expect / should call — it passes …
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/volume_sync/test_file.py:167 · conf 1.00
[MINED106] Phantom test coverage: test_create_existing_directory_without_force_raises: Test function `test_create_existing_directory_without_force_raises` runs code but contains no assert / expect / …
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/volume_sync/test_file.py:218 · conf 1.00
[MINED106] Phantom test coverage: test_list_nonexistent_raises: Test function `test_list_nonexistent_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/volume_sync/test_file.py:249 · conf 1.00
[MINED106] Phantom test coverage: test_remove_nonexistent_raises: Test function `test_remove_nonexistent_raises` runs code but contains no assert / expect / should call — it passes regardless of beha…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/sync/volume_sync/test_volume.py:131 · conf 1.00
[MINED106] Phantom test coverage: test_get_info_nonexistent_volume: Test function `test_get_info_nonexistent_volume` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/test_validate_api_key.py:7 · conf 1.00
[MINED106] Phantom test coverage: test_accepts_well_formed_key: Test function `test_accepts_well_formed_key` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/test_validate_api_key.py:11 · conf 1.00
[MINED106] Phantom test coverage: test_rejects_missing_prefix: Test function `test_rejects_missing_prefix` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/test_validate_api_key.py:16 · conf 1.00
[MINED106] Phantom test coverage: test_accepts_non_default_body_length: Test function `test_accepts_non_default_body_length` runs code but contains no assert / expect / should call — it passes regard…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/test_validate_api_key.py:20 · conf 1.00
[MINED106] Phantom test coverage: test_rejects_empty_body: Test function `test_rejects_empty_body` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/test_validate_api_key.py:25 · conf 1.00
[MINED106] Phantom test coverage: test_rejects_non_hex_body: Test function `test_rejects_non_hex_body` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · packages/python-sdk/tests/test_validate_api_key.py:30 · conf 1.00
[MINED106] Phantom test coverage: test_rejects_trailing_newline: Test function `test_rejects_trailing_newline` runs code but contains no assert / expect / should call — it passes regardless of behavi…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:277 · conf 1.00
[MINED108] `self._prepare_unary_request` used but never assigned in __init__: Method `acall_unary` of class `Client` reads `self._prepare_unary_request`, but no assignment to it exists in __init__ (a…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:285 · conf 1.00
[MINED108] `self._process_unary_response` used but never assigned in __init__: Method `acall_unary` of class `Client` reads `self._process_unary_response`, but no assignment to it exists in __init__ …
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:298 · conf 1.00
[MINED108] `self._prepare_unary_request` used but never assigned in __init__: Method `call_unary` of class `Client` reads `self._prepare_unary_request`, but no assignment to it exists in __init__ (an…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:306 · conf 1.00
[MINED108] `self._process_unary_response` used but never assigned in __init__: Method `call_unary` of class `Client` reads `self._process_unary_response`, but no assignment to it exists in __init__ (…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:341 · conf 1.00
[MINED108] `self._create_stream_timeout` used but never assigned in __init__: Method `_prepare_server_stream_request` of class `Client` reads `self._create_stream_timeout`, but no assignment to it ex…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:376 · conf 1.00
[MINED108] `self._prepare_server_stream_request` used but never assigned in __init__: Method `acall_server_stream` of class `Client` reads `self._prepare_server_stream_request`, but no assignment to …
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:410 · conf 1.00
[MINED108] `self._prepare_server_stream_request` used but never assigned in __init__: Method `call_server_stream` of class `Client` reads `self._prepare_server_stream_request`, but no assignment to i…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:470 · conf 1.00
[MINED108] `self.shift_buffer` used but never assigned in __init__: Method `header` of class `ServerStreamParser` reads `self.shift_buffer`, but no assignment to it exists in __init__ (and no class-l…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:483 · conf 1.00
[MINED108] `self.header` used but never assigned in __init__: Method `parse` of class `ServerStreamParser` reads `self.header`, but no assignment to it exists in __init__ (and no class-level fallback…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:488 · conf 1.00
[MINED108] `self.shift_buffer` used but never assigned in __init__: Method `parse` of class `ServerStreamParser` reads `self.shift_buffer`, but no assignment to it exists in __init__ (and no class-le…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b_connect/client.py:499 · conf 1.00
[MINED108] `self.header` used but never assigned in __init__: Method `parse` of class `ServerStreamParser` reads `self.header`, but no assignment to it exists in __init__ (and no class-level fallback…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b/connection_config.py:138 · conf 1.00
[MINED108] `self._get_request_timeout` used but never assigned in __init__: Method `get_request_timeout` of class `ConnectionConfig` reads `self._get_request_timeout`, but no assignment to it exists …
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b/connection_config.py:145 · conf 1.00
[MINED108] `self.get_host` used but never assigned in __init__: Method `get_sandbox_url` of class `ConnectionConfig` reads `self.get_host`, but no assignment to it exists in __init__ (and no class-le…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b/connection_config.py:151 · conf 1.00
[MINED108] `self.get_host` used but never assigned in __init__: Method `get_sandbox_url` of class `ConnectionConfig` reads `self.get_host`, but no assignment to it exists in __init__ (and no class-le…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b/connection_config.py:158 · conf 1.00
[MINED108] `self.get_host` used but never assigned in __init__: Method `get_sandbox_direct_url` of class `ConnectionConfig` reads `self.get_host`, but no assignment to it exists in __init__ (and no c…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b/connection_config.py:160 · conf 1.00
[MINED108] `self.get_host` used but never assigned in __init__: Method `get_sandbox_direct_url` of class `ConnectionConfig` reads `self.get_host`, but no assignment to it exists in __init__ (and no c…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/e2b/connection_config.py:211 · conf 1.00
[MINED108] `self.get_request_timeout` used but never assigned in __init__: Method `get_api_params` of class `ConnectionConfig` reads `self.get_request_timeout`, but no assignment to it exists in __in…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/tests/bugs/test_envelope_decode.py:29 · conf 1.00
[MINED108] `self._wrap_pyautogui_code` used but never assigned in __init__: Method `pyautogui` of class `Desktop` reads `self._wrap_pyautogui_code`, but no assignment to it exists in __init__ (and no…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/tests/bugs/test_envelope_decode.py:31 · conf 1.00
[MINED108] `self.files` used but never assigned in __init__: Method `pyautogui` of class `Desktop` reads `self.files`, but no assignment to it exists in __init__ (and no class-level fallback). This r…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/tests/bugs/test_envelope_decode.py:33 · conf 1.00
[MINED108] `self.commands` used but never assigned in __init__: Method `pyautogui` of class `Desktop` reads `self.commands`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/tests/sync/template_sync/test_upload_file.py:20 · conf 1.00
[MINED108] `self.headers` used but never assigned in __init__: Method `do_PUT` of class `Handler` reads `self.headers`, but no assignment to it exists in __init__ (and no class-level fallback). This …
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/tests/sync/template_sync/test_upload_file.py:21 · conf 1.00
[MINED108] `self.headers` used but never assigned in __init__: Method `do_PUT` of class `Handler` reads `self.headers`, but no assignment to it exists in __init__ (and no class-level fallback). This …
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/tests/sync/template_sync/test_upload_file.py:22 · conf 1.00
[MINED108] `self.rfile` used but never assigned in __init__: Method `do_PUT` of class `Handler` reads `self.rfile`, but no assignment to it exists in __init__ (and no class-level fallback). This rais…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/tests/sync/template_sync/test_upload_file.py:24 · conf 1.00
[MINED108] `self.send_response` used but never assigned in __init__: Method `do_PUT` of class `Handler` reads `self.send_response`, but no assignment to it exists in __init__ (and no class-level fall…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · packages/python-sdk/tests/sync/template_sync/test_upload_file.py:25 · conf 1.00
[MINED108] `self.end_headers` used but never assigned in __init__: Method `do_PUT` of class `Handler` reads `self.end_headers`, but no assignment to it exists in __init__ (and no class-level fallback…
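Most names in the 25 MINED108 hits above are shaped like methods called through `self` (`get_host`, `get_request_timeout`, `header`, `_prepare_unary_request`; the entry for client.py:483 itself says `header` is a method of `ServerStreamParser`), and the `test_upload_file.py` hits are members that `http.server.BaseHTTPRequestHandler` provides to any subclass with a `do_PUT` (`send_response` and `end_headers` are its methods; `headers` and `rfile` are set by the base class before the handler runs). A method defined on the class is a class-level attribute, so reading it through `self` is not a missing-attribute bug; these look like false positives of the rule and should be confirmed against the class bodies before anyone acts on them. The following is an added example, not E2B's or the scanner's code: a version of the check that resolves methods, class attributes and inherited members first. `SAMPLE` is constructed.

```python
"""Added example, not E2B's or the scanner's code: a `self.<name>` checker that
resolves methods, class attributes and inherited members before flagging. For
bases importable by name it takes dir() of the live class and also scans the
source of each class in its MRO for `self.x = ...` stores, which is what makes
http.server's `headers` and `rfile` resolvable. SAMPLE is constructed."""
import ast
import importlib
import inspect
import textwrap


def _self_reads_stores(tree: ast.AST) -> tuple[set[str], set[str]]:
    reads, stores = set(), set()
    for n in ast.walk(tree):
        if isinstance(n, ast.Attribute) and isinstance(n.value, ast.Name) and n.value.id == "self":
            (stores if isinstance(n.ctx, ast.Store) else reads).add(n.attr)
    return reads, stores


def _import_aliases(tree: ast.Module) -> dict[str, str]:
    """Local name -> dotted path it was imported from."""
    aliases = {}
    for n in ast.walk(tree):
        if isinstance(n, ast.Import):
            for a in n.names:
                head = a.name.split(".")[0]
                aliases[a.asname or head] = a.name if a.asname else head
        elif isinstance(n, ast.ImportFrom) and n.module:
            for a in n.names:
                aliases[a.asname or a.name] = f"{n.module}.{a.name}"
    return aliases


def _resolve_base(base: ast.expr, aliases: dict[str, str]):
    """Live class for an importable base expression; None for same-file bases."""
    parts = []
    while isinstance(base, ast.Attribute):
        parts.append(base.attr)
        base = base.value
    if not isinstance(base, ast.Name):
        return None
    parts.append(aliases.get(base.id, base.id))
    modname, _, clsname = ".".join(reversed(parts)).rpartition(".")
    try:
        return getattr(importlib.import_module(modname), clsname) if modname else None
    except (ImportError, AttributeError):
        return None


def _inherited_names(live: type) -> set[str]:
    names = set(dir(live))                   # methods and class attributes
    for klass in live.__mro__:               # plus self.x stores in base methods
        try:
            names |= _self_reads_stores(ast.parse(textwrap.dedent(inspect.getsource(klass))))[1]
        except (OSError, TypeError):         # builtins such as object have no source
            continue
    return names


def unassigned_self_reads(source: str) -> dict[str, list[str]]:
    """Class name -> self.<attr> names read in its methods but defined nowhere:
    not stored in any method (the rule above checks __init__ only), not a
    method or class attribute, and not provided by a resolvable base class."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    report = {}
    for cls in (n for n in ast.walk(tree) if isinstance(n, ast.ClassDef)):
        defined = set()
        for n in cls.body:
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)):
                defined.add(n.name)
            targets = n.targets if isinstance(n, ast.Assign) else [n.target] if isinstance(n, ast.AnnAssign) else []
            defined |= {t.id for t in targets if isinstance(t, ast.Name)}
        for base in cls.bases:
            live = _resolve_base(base, aliases)
            if live is not None:
                defined |= _inherited_names(live)
        reads, stores = _self_reads_stores(cls)
        missing = sorted(reads - stores - defined)
        if missing:
            report[cls.name] = missing
    return report


SAMPLE = '''
from http.server import BaseHTTPRequestHandler

class Handler(BaseHTTPRequestHandler):
    def do_PUT(self):
        length = int(self.headers["Content-Length"])   # set by the base class
        body = self.rfile.read(length)                  # set by the base class
        self.send_response(200)                         # base-class methods
        self.end_headers()

class StreamParser:
    def __init__(self):
        self.offset = 0
    def header(self):
        return b"E2B"
    def parse(self, data):
        # self.header() is a bound method: fine. self.buf is never set anywhere: real finding.
        return self.header() + self.buf[self.offset:] + data
'''

if __name__ == "__main__":
    print(unassigned_self_reads(SAMPLE))   # {'StreamParser': ['buf']}
```

Same-file base classes are not resolved here (only importable ones are), so a class inheriting from another class in the same module still needs its parent's stores merged in; that is the one extension a production version of this check needs. The scanner's stricter "__init__ only" criterion also catches attributes initialised lazily in other methods, which is a legitimate smell, but it must not be reported under a null-dereference CWE when the name resolves to a method.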
MINED110 · Blocking call inside async function · CWE-833 · packages/python-sdk/tests/async/sandbox_async/files/test_secured.py:17 · conf 1.00
[MINED110] Blocking call `urllib.request.urlopen` inside async function `test_download_url_with_signing`: `urllib.request.urlopen` is a synchronous (blocking) call. When invoked inside an `async def`…
MINED110 · Blocking call inside async function · CWE-833 · packages/python-sdk/tests/async/sandbox_async/files/test_secured.py:32 · conf 1.00
[MINED110] Blocking call `urllib.request.urlopen` inside async function `test_download_url_with_signing_and_expiration`: `urllib.request.urlopen` is a synchronous (blocking) call. When invoked inside…
MINED110 · Blocking call inside async function · CWE-833 · packages/python-sdk/tests/async/sandbox_async/files/test_secured.py:51 · conf 1.00
[MINED110] Blocking call `urllib.request.urlopen` inside async function `test_download_url_with_expired_signing`: `urllib.request.urlopen` is a synchronous (blocking) call. When invoked inside an `as…
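An added example, not E2B's tests: a heartbeat measurement that shows what the flagged `urllib.request.urlopen` call does to the event loop, next to the `asyncio.to_thread` form. `fetch_blocking` is a constructed stand-in that sleeps instead of doing network I/O, so the example runs offline. In a test the cost is mostly hidden latency and masked timeout behaviour; the same shape in library code stalls every other coroutine on the loop, including the ones that enforce request timeouts.

```python
"""Added example, not E2B code: what a blocking call inside `async def` does
to the event loop, next to the `asyncio.to_thread` form that keeps the loop
serving other tasks. `fetch_blocking` is a constructed stand-in for
urllib.request.urlopen(...).read(); it sleeps instead of touching the network."""
import asyncio
import time


def fetch_blocking(seconds: float) -> bytes:
    time.sleep(seconds)          # the thread, and with it the loop, is stuck here
    return b"payload"


async def download_wrong(seconds: float) -> bytes:
    # The flagged shape: the coroutine never yields, so timeouts, keepalives
    # and every concurrent request on this loop are frozen until it returns.
    return fetch_blocking(seconds)


async def download_right(seconds: float) -> bytes:
    # Run the blocking call on the default executor and await its result.
    return await asyncio.to_thread(fetch_blocking, seconds)


async def _heartbeats_while(download, block_for: float, tick: float) -> int:
    """Run `download` beside a heartbeat task; return how many heartbeats the
    loop managed to schedule while the download was in flight."""
    beats, stop = 0, asyncio.Event()

    async def heartbeat():
        nonlocal beats
        while not stop.is_set():
            beats += 1
            await asyncio.sleep(tick)

    task = asyncio.create_task(heartbeat())
    await asyncio.sleep(0)       # let the heartbeat take its first turn
    await download(block_for)
    stop.set()
    await task
    return beats


def heartbeats_during(download, block_for: float = 0.3, tick: float = 0.02) -> int:
    return asyncio.run(_heartbeats_while(download, block_for, tick))


if __name__ == "__main__":
    print("blocking call :", heartbeats_during(download_wrong), "heartbeat(s)")
    print("to_thread     :", heartbeats_during(download_right), "heartbeat(s)")
```

With the blocking form the heartbeat fires exactly once (its first turn, before the download starts) and then nothing until the call returns; with `to_thread` it keeps firing throughout. `asyncio.to_thread` is the minimal fix and leaves the signed-URL test logic unchanged; code paths that do many downloads are better served by an async HTTP client than by an executor thread per request.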
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/cli_tests.yml:30 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/cli_tests.yml:33 · conf 0.90
[MINED115] Action `wistia/parse-tool-versions` pinned to mutable ref `@v2.1.1`: `uses: wistia/parse-tool-versions@v2.1.1` resolves at workflow-run time. Tags and branches can be re-pushed by the acti…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/cli_tests.yml:40 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/cli_tests.yml:45 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/js_sdk_tests.yml:31 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/js_sdk_tests.yml:34 · conf 0.90
[MINED115] Action `wistia/parse-tool-versions` pinned to mutable ref `@v2.1.1`: `uses: wistia/parse-tool-versions@v2.1.1` resolves at workflow-run time. Tags and branches can be re-pushed by the acti…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/js_sdk_tests.yml:41 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/js_sdk_tests.yml:47 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v3`: `uses: actions/setup-node@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/js_sdk_tests.yml:65 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/js_sdk_tests.yml:74 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/js_sdk_tests.yml:91 · conf 0.90
[MINED115] Action `oven-sh/setup-bun` pinned to mutable ref `@v2`: `uses: oven-sh/setup-bun@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/js_sdk_tests.yml:100 · conf 0.90
[MINED115] Action `denoland/setup-deno` pinned to mutable ref `@v1`: `uses: denoland/setup-deno@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/pkg_artifacts.yml:18 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/pkg_artifacts.yml:21 · conf 0.90
[MINED115] Action `wistia/parse-tool-versions` pinned to mutable ref `@v2.1.1`: `uses: wistia/parse-tool-versions@v2.1.1` resolves at workflow-run time. Tags and branches can be re-pushed by the acti…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/pkg_artifacts.yml:26 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/pkg_artifacts.yml:32 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/pkg_artifacts.yml:62 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/publish_packages.yml:20 · conf 0.90
[MINED115] Action `actions/create-github-app-token` pinned to mutable ref `@v1`: `uses: actions/create-github-app-token@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/publish_packages.yml:27 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v3`: `uses: actions/checkout@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/publish_packages.yml:32 · conf 0.90
[MINED115] Action `wistia/parse-tool-versions` pinned to mutable ref `@v2.1.1`: `uses: wistia/parse-tool-versions@v2.1.1` resolves at workflow-run time. Tags and branches can be re-pushed by the acti…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/publish_packages.yml:39 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v4`: `uses: actions/setup-python@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/publish_packages.yml:44 · conf 0.90
[MINED115] Action `snok/install-poetry` pinned to mutable ref `@v1`: `uses: snok/install-poetry@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made th…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/publish_packages.yml:50 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/publish_packages.yml:56 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/publish_packages.yml:81 · conf 0.90
[MINED115] Action `changesets/action` pinned to mutable ref `@v1`: `uses: changesets/action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · codegen.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `golang:1.23` not pinned by digest: `FROM golang:1.23` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · codegen.Dockerfile:11 · conf 0.90
[MINED118] Dockerfile FROM `python:3.10` not pinned by digest: `FROM python:3.10` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/testground/demo-basic/Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `ubuntu:latest` not pinned by digest: `FROM ubuntu:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is po…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/tests/commands/template/fixtures/complex-python/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `python:3.11-slim` not pinned by digest: `FROM python:3.11-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/tests/commands/template/fixtures/copy-variations/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `alpine:latest` not pinned by digest: `FROM alpine:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is po…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/tests/commands/template/fixtures/custom-commands/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `node:18` not pinned by digest: `FROM node:18` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially di…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/tests/commands/template/fixtures/minimal-dockerfile/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `ubuntu:latest` not pinned by digest: `FROM ubuntu:latest` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is po…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/tests/commands/template/fixtures/multiple-env/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `node:18` not pinned by digest: `FROM node:18` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially di…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/tests/commands/template/fixtures/multi-stage/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `node:18` not pinned by digest: `FROM node:18` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potentially di…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/tests/commands/template/fixtures/multi-stage/e2b.Dockerfile:5 · conf 0.90
[MINED118] Dockerfile FROM `node:18-slim` not pinned by digest: `FROM node:18-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/cli/tests/commands/template/fixtures/start-cmd/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `python:3.11` not pinned by digest: `FROM python:3.11` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is potent…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · packages/js-sdk/tests/integration/template/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `e2bdev/code-interpreter:latest` not pinned by digest: `FROM e2bdev/code-interpreter:latest` resolves the tag at build time. The registry CAN re-push a different image for …
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · templates/base/e2b.Dockerfile:1 · conf 0.90
[MINED118] Dockerfile FROM `python:3.11.6` not pinned by digest: `FROM python:3.11.6` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is po…
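An added example, not E2B's workflows or the scanner's rules: one checker covering both mutable-reference patterns reported above, MINED115 (action refs) and MINED118 (image tags). An action counts as pinned only when its ref is a 40-hex commit SHA; an image only when it carries an `@sha256:<64 hex>` digest. Stage references in multi-stage builds (`FROM builder`) and `FROM scratch` are not registry pulls and are skipped. The workflow and Dockerfile in the block are constructed, and the SHA and digest in them are placeholders, not real commits or images.

```python
"""Added example, not E2B's workflows or the scanner's rule: a checker for the
two mutable-reference patterns (unpinned `uses:` refs, unpinned FROM tags).
WORKFLOW and DOCKERFILE are constructed inputs; the SHA and digest they
contain are placeholders, not real commits or image manifests."""
import re

_SHA40 = re.compile(r"^[0-9a-f]{40}$")
_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
_FROM = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)


def unpinned_actions(workflow: str) -> list[tuple[int, str]]:
    """(line, `uses:` value) for every action step not pinned to a full SHA.
    Local composite actions (./path) have no ref to pin and are skipped;
    docker:// steps must carry an image digest instead of a commit."""
    out = []
    for no, line in enumerate(workflow.splitlines(), 1):
        m = _USES.match(line)
        if not m or m.group(1).startswith("./"):
            continue
        ref = m.group(1)
        if ref.startswith("docker://"):
            pinned = bool(_DIGEST.search(ref))
        else:
            pinned = bool(_SHA40.match(ref.partition("@")[2]))
        if not pinned:
            out.append((no, ref))
    return out


def unpinned_images(dockerfile: str) -> list[tuple[int, str]]:
    """(line, image) for every FROM that resolves a tag at build time.
    ARG-substituted bases (`FROM ${BASE}`) are reported as unpinned, which is
    the safe default until the ARG's value is checked."""
    out, stages = [], set()
    for no, line in enumerate(dockerfile.splitlines(), 1):
        m = _FROM.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if image.lower() == "scratch" or image.lower() in stages:
            continue                         # not a registry pull
        if not _DIGEST.search(image):
            out.append((no, image))
    return out


WORKFLOW = """\
name: tests
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4.x, placeholder SHA
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
"""

DOCKERFILE = """\
FROM node:18 AS builder
RUN npm ci && npm run build
FROM --platform=linux/amd64 node:18-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS runtime
COPY --from=builder /app/dist /app
FROM builder AS test
FROM scratch
"""

if __name__ == "__main__":
    print(unpinned_actions(WORKFLOW))   # [(7, 'actions/checkout@v4'), (10, 'docker://alpine:3.20')]
    print(unpinned_images(DOCKERFILE))  # [(1, 'node:18')]
```

To produce the pins: for an image, `docker buildx imagetools inspect python:3.11.6` prints the manifest digest, and writing `python:3.11.6@sha256:…` keeps the tag as documentation while the digest is what gets pulled; for an action, the commit behind a release tag goes in as `uses: owner/action@<sha>  # vX.Y.Z`, with the version comment there so Dependabot or Renovate can keep the pin current. Triage note for the lists above: the 25 MINED115 hits are the same handful of actions repeated across four workflow files, so a single pinning pass fixes them; judging by their paths, most MINED118 hits are test fixtures under `packages/cli/tests/commands/template/fixtures/`, while `codegen.Dockerfile`, `templates/base/e2b.Dockerfile` and the `e2bdev/code-interpreter:latest` pull in `packages/js-sdk/tests/integration/template/e2b.Dockerfile` are the ones most worth pinning first.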
AGT005
Calendar/event date parsing can crash on malformed persisted data
packages/cli/src/commands/sandbox/list.ts:98
· conf 0.76
Calendar/event date parsing can crash on malformed persisted data
AGT005
Calendar/event date parsing can crash on malformed persisted data
packages/js-sdk/src/sandbox/sandboxApi.ts:854
· conf 0.76
Calendar/event date parsing can crash on malformed persisted data
AGT012
Agent control bridge may listen on a network interface without visible auth
packages/python-sdk/e2b/sandbox_async/main.py:195
· conf 0.72
Agent control bridge may listen on a network interface without visible auth
AGT012
Agent control bridge may listen on a network interface without visible auth
packages/python-sdk/e2b/sandbox/sandbox_api.py:1
· conf 0.72
Agent control bridge may listen on a network interface without visible auth
AGT012
Agent control bridge may listen on a network interface without visible auth
packages/python-sdk/e2b/sandbox_sync/main.py:193
· conf 0.72
Agent control bridge may listen on a network interface without visible auth
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
packages/python-sdk/e2b/api/__init__.py:99
· conf 0.95
[COMP001] High cognitive complexity: Function `__init__` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested bra…
DKR001
Docker final stage has no non-root USER
packages/cli/testground/demo-basic/Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR003
Dockerfile base image uses the latest tag
packages/cli/testground/demo-basic/Dockerfile:1
· conf 0.94
Dockerfile base image uses the latest tag
DKR007
Docker build context has no .dockerignore
.dockerignore
· conf 0.90
Docker build context has no .dockerignore
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
packages/python-sdk/e2b/sandbox_async/commands/command_handle.py:143
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
packages/python-sdk/e2b/sandbox_async/filesystem/watch_handle.py:39
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
packages/python-sdk/e2b/template/dockerfile_parser.py:276
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
packages/cli/src/commands/sandbox/create.ts:116
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
MINED109
Mutable default argument
CWE-1023
packages/python-sdk/e2b/template_async/build_api.py:203
· conf 1.00
[MINED109] Mutable default argument in `wait_for_build_finish` (list): `def wait_for_build_finish(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shar…
MINED109
Mutable default argument
CWE-1023
packages/python-sdk/e2b/template_sync/build_api.py:202
· conf 1.00
[MINED109] Mutable default argument in `wait_for_build_finish` (list): `def wait_for_build_finish(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shar…
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_async/commands/command_handle.py:163
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_async/filesystem/watch_handle.py:61
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_async/git.py:144
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_async/git.py:210
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_async/git.py:224
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox/_git/parse.py:41
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox/_git/parse.py:46
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_sync/commands/command_handle.py:123
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_sync/git.py:144
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_sync/git.py:231
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/sandbox_sync/git.py:245
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/e2b/template/utils.py:348
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/tests/async/sandbox_async/files/test_files_list.py:151
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/tests/async/template_async/test_stacktrace.py:78
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/tests/sync/sandbox_sync/files/test_files_list.py:151
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
packages/python-sdk/tests/sync/template_sync/test_stacktrace.py:78
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED124
requirements.txt entry has no version pin
CWE-1357
packages/connect-python/requirements-dev.txt:3
· conf 0.90
[MINED124] requirements.txt: `ruff` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, ac…
MINED124
requirements.txt entry has no version pin
CWE-1357
packages/connect-python/requirements-dev.txt:4
· conf 0.90
[MINED124] requirements.txt: `build` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, a…
MINED124
requirements.txt entry has no version pin
CWE-1357
packages/connect-python/requirements-dev.txt:5
· conf 0.90
[MINED124] requirements.txt: `twine` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats, a…
SEC034
Log Injection / Log Forging — unsanitized user input in log
packages/python-sdk/e2b/api/client_async/__init__.py:26
· conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
SEC034
Log Injection / Log Forging — unsanitized user input in log
packages/python-sdk/e2b/api/client_sync/__init__.py:26
· conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
SEC034
Log Injection / Log Forging — unsanitized user input in log
packages/python-sdk/e2b/api/__init__.py:177
· conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
SEC045
eval()/exec() on stored or user-supplied data
packages/js-sdk/src/undici.ts:16
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC068
Dockerfile: base image uses :latest or no tag
packages/python-sdk/e2b/template/dockerfile_parser.py:5
· conf 1.00
[SEC068] Dockerfile: base image uses :latest or no tag: FROM uses :latest or no tag — builds are not reproducible and may pull a compromised parent image. Ported from trivy DS001 (Apache-2.0).
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
AIC003
Duplicated implementation block across source files
packages/js-sdk/src/envd/http2.ts:51
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/js-sdk/src/envd/process/process_pb.ts:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/get_sandboxes_metrics.py:26
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/get_sandboxes_sandbox_id_logs.py:28
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/get_sandboxes_sandbox_id_logs.py:29
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/get_sandboxes_sandbox_id_metrics.py:36
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/get_sandboxes_sandbox_id.py:22
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/get_v2_sandboxes.py:32
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/get_v_2_sandboxes_sandbox_id_logs.py:42
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/get_v_2_sandboxes_sandbox_id_logs.py:43
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes.py:27
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_connect.py:31
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_connect.py:34
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_connect.py:40
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_pause.py:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_refreshes.py:23
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_resume.py:28
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_resume.py:37
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_resume.py:42
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_snapshots.py:29
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_snapshots.py:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_snapshots.py:33
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_timeout.py:19
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/post_sandboxes_sandbox_id_timeout.py:23
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/put_sandboxes_sandbox_id_network.py:17
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/put_sandboxes_sandbox_id_network.py:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/sandboxes/put_sandboxes_sandbox_id_network.py:22
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/tags/delete_templates_tags.py:26
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/tags/delete_templates_tags.py:29
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/python-sdk/e2b/api/client/api/tags/post_templates_tags.py:26
· conf 0.86
Duplicated implementation block across source files
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
packages/python-sdk/e2b/api/client/api/sandboxes/get_sandboxes.py:32
· conf 0.95
[COMP001] High cognitive complexity: Function `_parse_response` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nest…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
packages/python-sdk/e2b/api/__init__.py:39
· conf 0.95
[COMP001] High cognitive complexity: Function `handle_api_exception` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand —…
SEC075
Dockerfile: no HEALTHCHECK
packages/js-sdk/src/template/dockerfileParser.ts:1
· conf 1.00
[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if…
SEC075
Dockerfile: no HEALTHCHECK
packages/python-sdk/e2b/template/dockerfile_parser.py:1
· conf 1.00
[SEC075] Dockerfile: no HEALTHCHECK: No HEALTHCHECK directive — orchestrators can't detect a wedged process. Ported from trivy DS026 / checkov CKV_DOCKER_2 (Apache-2.0). Implement file-level: skip if…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 34 more): Same pattern found in 34 additional files. Review if needed.
MINED001
Bare Except Pass
CWE-755
· conf 0.20
[MINED001] Bare Except Pass (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
packages/js-sdk/src/connectionConfig.ts:244
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
packages/python-sdk/e2b/connection_config.py:145
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 31 more): Same pattern found in 31 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
packages/cli/src/api.ts:55
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
packages/cli/src/commands/auth/configure.ts:22
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
packages/cli/src/commands/auth/info.ts:13
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
packages/cli/src/commands/template/buildWithProxy.ts:108
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/js-sdk/src/envd/rpc.ts:45
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
packages/js-sdk/src/undici.ts:31
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED050
Stub Only Function
CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 12 more): Same pattern found in 12 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
packages/python-sdk/e2b/api/client/models/created_team_api_key.py:117
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
packages/python-sdk/e2b/api/client/models/new_sandbox.py:155
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
packages/python-sdk/e2b/api/client/models/team_api_key.py:110
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED052
Ts Any Typed
CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 20 more): Same pattern found in 20 additional files. Review if needed.
MINED052
Ts Any Typed
CWE-704
packages/cli/src/commands/sandbox/connect.ts:26
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
packages/cli/src/commands/sandbox/create.ts:86
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
packages/cli/src/commands/sandbox/exec.ts:93
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
packages/cli/src/index.ts:30
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
packages/js-sdk/src/utils.ts:16
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED062
Python Dataclass No Fields
· conf 0.20
[MINED062] Python Dataclass No Fields (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED062
Python Dataclass No Fields
packages/python-sdk/e2b/sandbox/commands/command_handle.py:20
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED062
Python Dataclass No Fields
packages/python-sdk/e2b/sandbox/commands/main.py:5
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED062
Python Dataclass No Fields
packages/python-sdk/e2b/sandbox/_git/types.py:5
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
SEC020
Secret Printed to Logs
packages/cli/src/api.ts:55
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 10 more): Same pattern found in 10 additional files. Review if needed.
SEC034
Log Injection / Log Forging — unsanitized user input in log
· conf 0.20
[SEC034] Log Injection / Log Forging — unsanitized user input in log (and 2 more): Same pattern found in 2 additional files. Review if needed.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 80 more): Same pattern found in 80 additional files. Review if needed.